feat(security): make enable_acl and mandatory_auth mutable (#702)

XiaoMi · Dec 24, 2020 · ee8d76b · ee8d76b
1 parent 1b6bb62
commit ee8d76b
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 11 deletions.
diff --git a/include/dsn/http/http_server.h b/include/dsn/http/http_server.h
@@ -6,11 +6,16 @@
 
 #include <dsn/utility/errors.h>
 #include <dsn/utility/flags.h>
+#include <dsn/tool-api/task_code.h>
 
 namespace dsn {
 
 DSN_DECLARE_bool(enable_http_server);
 
+/// The rpc code for all the HTTP RPCs.
+/// Since http is used only for system monitoring, it is restricted to lowest priority.
+DEFINE_TASK_CODE_RPC(RPC_HTTP_SERVICE, TASK_PRIORITY_LOW, THREAD_POOL_DEFAULT);
+
 enum http_method
 {
     HTTP_METHOD_GET = 1,
@@ -104,4 +109,8 @@ extern void start_http_server();
 // TODO(wutao): pass `svc` as a std::unique_ptr.
 extern void register_http_service(http_service *svc);
 
+inline bool is_http_message(dsn::task_code code)
+{
+    return code == RPC_HTTP_SERVICE || code == RPC_HTTP_SERVICE_ACK;
+}
 } // namespace dsn
diff --git a/src/http/http_server_impl.h b/src/http/http_server_impl.h
@@ -35,8 +35,4 @@ class http_server : public serverlet<http_server>
 
 extern void http_response_reply(const http_response &resp, message_ex *req);
 
-/// The rpc code for all the HTTP RPCs.
-/// Since http is used only for system monitoring, it is restricted to lowest priority.
-DEFINE_TASK_CODE_RPC(RPC_HTTP_SERVICE, TASK_PRIORITY_LOW, THREAD_POOL_DEFAULT);
-
 } // namespace dsn
diff --git a/src/runtime/security/access_controller.cpp b/src/runtime/security/access_controller.cpp
@@ -26,6 +26,8 @@
 namespace dsn {
 namespace security {
 DSN_DEFINE_bool("security", enable_acl, false, "whether enable access controller or not");
+DSN_TAG_VARIABLE(enable_acl, FT_MUTABLE);
+
 DSN_DEFINE_string("security", super_users, "", "super user for access controller");
 
 access_controller::access_controller() { utils::split_args(FLAGS_super_users, _super_users, ','); }

diff --git a/src/runtime/security/negotiation.cpp b/src/runtime/security/negotiation.cpp
@@ -32,6 +32,7 @@ const std::set<std::string> supported_mechanisms{"GSSAPI"};
 
 DSN_DEFINE_bool("security", enable_auth, false, "whether open auth or not");
 DSN_DEFINE_bool("security", mandatory_auth, false, "wheter to do authertication mandatorily");
+DSN_TAG_VARIABLE(mandatory_auth, FT_MUTABLE);
 
 negotiation::~negotiation() {}
 

diff --git a/src/runtime/security/negotiation_manager.cpp b/src/runtime/security/negotiation_manager.cpp
@@ -24,6 +24,7 @@
 #include <dsn/tool-api/zlocks.h>
 #include <dsn/dist/failure_detector/fd.code.definition.h>
 #include <dsn/dist/fmt_logging.h>
+#include <dsn/http/http_server.h>
 
 namespace dsn {
 namespace security {
@@ -37,7 +38,8 @@ inline bool is_negotiation_message(dsn::task_code code)
 
 inline bool in_white_list(task_code code)
 {
-    return is_negotiation_message(code) || fd::is_failure_detector_message(code);
+    return is_negotiation_message(code) || fd::is_failure_detector_message(code) ||
+           is_http_message(code);
 }
 
 negotiation_map negotiation_manager::_negotiations;

diff --git a/src/runtime/test/negotiation_manager_test.cpp b/src/runtime/test/negotiation_manager_test.cpp
@@ -23,6 +23,7 @@
 #include <dsn/utility/flags.h>
 #include <dsn/dist/failure_detector/fd.code.definition.h>
 #include <http/http_server_impl.h>
+#include "nfs/nfs_code_definition.h"
 
 namespace dsn {
 namespace security {
@@ -90,9 +91,11 @@ TEST_F(negotiation_manager_test, on_rpc_recv_msg)
                  {RPC_NEGOTIATION_ACK, false, true, true},
                  {fd::RPC_FD_FAILURE_DETECTOR_PING, false, true, true},
                  {fd::RPC_FD_FAILURE_DETECTOR_PING_ACK, false, true, true},
-                 {RPC_HTTP_SERVICE, true, true, true},
-                 {RPC_HTTP_SERVICE, false, false, true},
-                 {RPC_HTTP_SERVICE, false, true, false}};
+                 {RPC_HTTP_SERVICE, false, true, true},
+                 {RPC_HTTP_SERVICE_ACK, false, true, true},
+                 {service::RPC_NFS_COPY, true, true, true},
+                 {service::RPC_NFS_COPY, false, false, true},
+                 {service::RPC_NFS_COPY, false, true, false}};
 
     for (const auto &test : tests) {
         FLAGS_mandatory_auth = test.mandatory_auth;
@@ -119,9 +122,11 @@ TEST_F(negotiation_manager_test, on_rpc_send_msg)
                  {RPC_NEGOTIATION_ACK, false, true, true},
                  {fd::RPC_FD_FAILURE_DETECTOR_PING, false, true, true},
                  {fd::RPC_FD_FAILURE_DETECTOR_PING_ACK, false, true, true},
-                 {RPC_HTTP_SERVICE, true, true, true},
-                 {RPC_HTTP_SERVICE, false, false, true},
-                 {RPC_HTTP_SERVICE, false, true, false}};
+                 {RPC_HTTP_SERVICE, false, true, true},
+                 {RPC_HTTP_SERVICE_ACK, false, true, true},
+                 {service::RPC_NFS_COPY, true, true, true},
+                 {service::RPC_NFS_COPY, false, false, true},
+                 {service::RPC_NFS_COPY, false, true, false}};
 
     for (const auto &test : tests) {
         FLAGS_mandatory_auth = test.mandatory_auth;